Department of Homeland Security

Information Technology Management Letter for the Federal Law Enforcement Training Center Component of the FY 2012 Department of Homeland Security Financial Statement Audit

OIG-13-62                                     April 2013


OFFICE OF INSPECTOR GENERAL
Department of Homeland Security
Washington, DC 20528 / www.oig.dhs.gov

April 4, 2013

MEMORANDUM FOR:   Sandy Peavy
                  Chief Information Officer
                  Federal Law Enforcement Training Center

                  Alan Titus
                  Chief Financial Officer
                  Federal Law Enforcement Training Center

FROM:             Frank Deffer
                  Assistant Inspector General
                  Office of Information Technology Audits

SUBJECT:          Information Technology Management Letter for the Federal Law Enforcement Training Center Component of the FY 2012 Department of Homeland Security Financial Statement Audit

Attached for your action is our final report, Information Technology Management Letter for the Federal Law Enforcement Training Center Component of the FY 2012 Department of Homeland Security Financial Statement Audit. The independent accounting firm KPMG LLP (KPMG) performed the audit of DHS' financial statements as of September 30, 2012, and prepared this information technology (IT) management letter.

KPMG is responsible for the attached IT management letter dated December 12, 2012, and the conclusion expressed in it. We do not express an opinion on DHS' financial statements or internal controls or conclusions on compliance with laws and regulations. The DHS management concurred with all recommendations.

Consistent with our responsibility under the Inspector General Act, we are providing copies of our report to appropriate congressional committees with oversight and appropriation responsibility over the Department of Homeland Security. We will post the report on our website for public dissemination.

Please call me with any questions, or your staff may contact Sharon Huiswoud, Director, Information Systems Audit Division, at (202) 254-5451.

Attachment


KPMG LLP
Suite 12000
1801 K Street, NW
Washington, DC 20006

April 3, 2013

Inspector General
U.S. Department of Homeland Security

Chief Information Officer and
Chief Financial Officer
Federal Law Enforcement Training Center

We have audited the balance sheet of the U.S. Department of Homeland Security (DHS or Department) as of September 30, 2012, and the related statements of net cost, changes in net position, and custodial activity, and combined statement of budgetary resources for the year then ended (referred to as the "fiscal year (FY) 2012 financial statements"). We were also engaged to audit the Department's internal control over financial reporting of the FY 2012 financial statements. The objective of our audit engagement was to express an opinion on the fair presentation of the FY 2012 financial statements and the effectiveness of internal control over financial reporting of the FY 2012 financial statements.

In accordance with Government Auditing Standards, our Independent Auditors' Report, dated November 14, 2012, included internal control deficiencies identified during our audit engagement that, in aggregate, represented a material weakness in information technology (IT) controls and financial system functionality at the DHS Department-wide level. This letter represents the separate limited distribution report mentioned in that report, of matters related to the Federal Law Enforcement Training Center (FLETC).

During our audit engagement, we noted certain matters in the areas of access controls, configuration management, and segregation of duties with respect to FLETC's financial systems general information technology controls (GITC). These matters are described in the General IT Control Findings and Recommendations section of this letter.

The comments described herein have been discussed with the appropriate members of management, or communicated through a Notice of Finding and Recommendation (NFR), and are intended For Official Use Only. We aim to use our knowledge of DHS' organization gained during our audit engagement to make comments and suggestions that we hope will be useful to you. We have not considered internal control since the date of our Independent Auditors' Report.

The Table of Contents on the next page identifies each section of the letter. We have provided a description of key FLETC financial systems within the scope of the FY 2012 DHS financial statement audit engagement in Appendix A; a description of each internal control finding in Appendix B; and the current status of the prior year NFRs in Appendix C. Our comments related to financial management and reporting internal controls (comments not related to IT) have been presented in a separate letter to the Office of Inspector General (OIG) and the DHS Chief Financial Officer.

This report is intended solely for the information and use of DHS management, DHS OIG, U.S. Office of Management and Budget, U.S. Government Accountability Office (GAO), and the U.S. Congress, and is not intended to be and should not be used by anyone other than these specified parties.

Very truly yours,

KPMG LLP is a Delaware limited liability partnership, the U.S. member firm of KPMG International Cooperative ("KPMG International"), a Swiss entity.


Department of Homeland Security
Federal Law Enforcement Training Center
Information Technology Management Letter
September 30, 2012

INFORMATION TECHNOLOGY MANAGEMENT LETTER

TABLE OF CONTENTS

Objective, Scope, and Approach
Summary of Findings and Recommendations
General IT Control Findings and Recommendations
   FLETC
      Findings
         Access Controls
         Segregation of Duties
      Recommendations
   Intelligence and Analysis (I&A) / Operations (Ops) (I&A/Ops)
      Findings
         Configuration Management
         Access Controls
      Recommendations
Application Controls

APPENDICES

Appendix   Subject
   A       Description of Key FLETC and I&A/Ops Financial Systems and IT Infrastructure within the Scope of the FY 2012 DHS Financial Statement Audit
   B       FY 2012 Notices of IT Findings and Recommendations at FLETC and I&A/Ops
   C       Status of Prior Year Notices of Findings and Recommendations and Comparison to Current Year Notices of Findings and Recommendations (at FLETC only)

Information Technology Management Letter for the FLETC Component of the FY 2012 Department of Homeland Security Financial Statement Audit


OBJECTIVE, SCOPE, AND APPROACH

In connection with our engagement to audit the financial statements of DHS as of and for the year ended September 30, 2012, we performed an evaluation of general Information Technology (IT) controls (GITCs) at FLETC and I&A/Ops, to assist in planning and performing our audit engagement. FLETC provides financial management services to I&A/Ops and hosts a separate Momentum environment, which was developed to mirror the FLETC Momentum environment. The Federal Information System Controls Audit Manual (FISCAM), issued by the GAO, formed the basis of our GITC evaluation procedures. The scope of the GITC evaluation is further described in Appendix A.

FISCAM was designed to inform financial statement auditors about IT controls and related audit concerns to assist them in planning their audit work and to integrate the work of auditors with other aspects of the financial statement audit. FISCAM also provides guidance to auditors when considering the scope and extent of review that generally should be performed when evaluating GITCs and the IT environment of a federal agency. FISCAM defines the following five control functions to be essential to the effective operation of GITCs and the IT environment.

   Security Management (SM) – Controls that provide a framework and continuing cycle of activity for managing risk, developing security policies, assigning responsibilities, and monitoring the adequacy of computer-related security controls.

   Access Control (AC) – Controls that limit or detect access to computer resources (data, programs, equipment, and facilities) and protect against unauthorized modification, loss, and disclosure.

   Configuration Management (CM) – Controls that help to prevent unauthorized changes to information system resources (software programs and hardware configurations) and provide reasonable assurance that systems are configured and operating securely and as intended.

   Segregation of Duties (SD) – Controls that constitute policies, procedures, and an organizational structure to manage who can control key aspects of computer-related operations.

   Contingency Planning (CP) – Controls that involve procedures for continuing critical operations without interruption, or with prompt resumption, when unexpected events occur.

To complement our GITC audit procedures, we conducted a review over FLETC's technical security testing for key network and system devices, and performed testing over key financial application controls in the FLETC environment.

In addition to testing FLETC's general control environment, we performed application control tests on a limited number of FLETC's financial systems and applications. The application control testing was performed to assess the controls that support the financial systems' internal controls over the input, processing, and output of financial data and transactions.

   Application Controls (APC) – Application controls are the structure, policies, and procedures that apply to separate, individual application systems, such as accounts payable, inventory, or payroll.


SUMMARY OF FINDINGS AND RECOMMENDATIONS

During FY 2012, FLETC took corrective action to address one of the IT control weaknesses from the prior year. FLETC decommissioned the Student Information System, which was previously in the scope of the financial audit. However, during FY 2012, we identified IT general control weaknesses that could potentially impact FLETC's financial data.

FLETC provides financial management services to I&A/Ops and hosts a separate Momentum environment, which was developed to mirror the FLETC Momentum environment. However, we found that the most significant findings from a financial statement audit perspective were related to the I&A/Ops Momentum database access control and configuration management. In addition, we noted that after several years of improved processes over technical security testing, FLETC has inadequate patch management over servers and workstations. Collectively, the IT control deficiencies limited FLETC's ability to ensure that critical financial and operational data were maintained in a manner that ensures confidentiality, integrity, and availability.

Of the 4 findings identified during our FY 2012 testing, 3 were new IT findings. These findings represent control deficiencies in three of the five FISCAM key control areas: configuration management, access controls, and segregation of duties. Specifically, these control deficiencies include the need for:

    1. Better designed and operating configuration management;
    2. Effective segregation of duties controls within a financial application;
    3. Patch management; and
    4. Stronger account management.

These control deficiencies may increase the risk that the confidentiality, integrity, and availability of system controls and FLETC financial data could be exploited, thereby compromising the integrity of financial data used by management as reported in DHS' consolidated financial statements. While the recommendations made by KPMG should be considered by FLETC, it is the ultimate responsibility of FLETC management to determine the most appropriate method(s) for addressing the weaknesses identified based on their system capabilities and available resources.


GENERAL IT CONTROL FINDINGS AND RECOMMENDATIONS

FLETC

Findings:

During our engagement to audit the FY 2012 DHS financial statements, we identified the following FLETC GITC control deficiencies.

Access Controls
   Security patch management deficiencies were identified during the vulnerability assessment on the platforms supporting the key financial applications and general support systems.

Segregation of Duties
   Procedures to enforce least privilege and segregation of duties to Momentum were not effectively managed.

Recommendations:

We recommend that the FLETC Chief Information Officer (CIO) and Chief Financial Officer (CFO), in coordination with the DHS Office of Chief Financial Officer (OCFO) and the DHS Office of the Chief Information Officer (OCIO), make the following improvements to FLETC's financial management systems and associated information technology security program.

For Access Controls
   Enforce existing vulnerability management procedures, which require updating security patches in a timely manner.

For Segregation of Duties
   Enforce policies and procedures to ensure that assigned roles and responsibilities are commensurate with personnel job functions.

I&A/Ops

Findings:

During our engagement to audit the FY 2012 DHS financial statements, we identified the following I&A/Ops IT and financial system control deficiencies that, while they were not a contributing factor to the material weaknesses at the Department level, need improvement.

Configuration Management
   Evidence to support that Momentum I&A/Ops system changes were approved and tested prior to movement into the production environment was not maintained.

Access Controls
   Access controls within the I&A/Ops Momentum environment were not effectively managed:
   -   User access was not consistently provisioned in accordance with "least privilege" principles; specifically, two I&A/Ops employees had access privileges in excess of VIEW;
   -   Profile change approvals were not consistently documented; specifically, one of two users selected had his or her access privileges modified without having formally documented approval;
   -   User access was not consistently revoked upon employee termination; specifically, two FLETC personnel retained active I&A/Ops Momentum access following their separation; and,
   -   User access was not recertified.

Recommendations:

We recommend that the FLETC CIO and CFO, in coordination with the DHS OCFO and the DHS OCIO, make the following improvements to FLETC's financial management systems and associated information technology security program.

For Configuration Management
   Develop and implement policies and procedures to approve and test I&A/Ops Momentum changes prior to movement into the production environment.

For Access Controls
   Develop and implement policies and procedures to formalize access management and user profile monitoring for the Momentum I&A/Ops environment.


APPLICATION CONTROLS

We did not identify any findings in the area of application controls during the fiscal year 2012 FLETC audit engagement.


Appendix A

Description of Key FLETC and I&A/Ops Financial Systems and IT Infrastructure within the Scope of the FY 2012 DHS Financial Statement Audit

Below is a description of significant FLETC financial management systems and supporting IT infrastructure included in the scope of FLETC's FY 2012 financial statement audit.

Financial Accounting and Budgeting System (FABS)

The FLETC FABS application is an all-in-one financial processing system. It functions as the computerized accounting and budgeting system for FLETC. FLETC provides financial management services to I&A/Ops and hosts a separate Momentum environment, which was developed to mirror the FLETC Momentum environment. The FABS system exists to provide all of the financial and budgeting transactions in which FLETC is involved. An application called "Tuxedo" also resides on a separate server. The Tuxedo middleware holds 67 executable files. These files are scripts that process daily information and are not directly accessible by users. The FABS application and servers reside on the FLETC Local Area Network in a hybrid physical network topology and are accessible from four sites: Georgia (GA), Washington DC, New Mexico, and Maryland.

Glynco Administrative Network (GAN)

The purpose of the GAN is to provide access to IT network applications and services, including voice, to authorized FLETC personnel, contractors, and partner organizations located at the Georgia facility. It provides authorized users access to email, internet services, required applications such as financial management systems, procurement systems, property management systems, video conference, and other network services and shared resources. The GAN is located in GA.


Appendix B

FY 2012 Notices of IT Findings and Recommendations at FLETC and I&A/Ops

FY 2012 NFR #    NFR Title                                                                               FISCAM Control Area        New Issue   Repeat Issue
FLETC-IT-12-01   Ineffective Segregation of Duties Controls for the Momentum System                      Segregation of Duties                  X
FLETC-IT-12-02   FLETC Servers and Workstations have Inadequate Patch Management                         Configuration Management   X
MGA-IT-12-03     I&A/Ops Momentum Access Controls are not Consistently Applied                           Access Controls            X
MGA-IT-12-04     Configuration Changes for the I&A/Ops Momentum System are not Consistently Documented   Configuration Management   X


Appendix C

Status of Prior Year Notices of Findings and Recommendations and Comparison to Current Year Notices of Findings and Recommendations (at FLETC only)

NFR #            Description                                                            Disposition
                                                                                        Closed   Repeat
FLETC-IT-11-01   Ineffective Logical Access Controls over the GAN                       X
FLETC-IT-11-02   Ineffective Segregation of Duties controls for the Momentum System              X


ADDITIONAL INFORMATION AND COPIES

To obtain additional copies of this document, please call us at (202) 254-4100, fax your request to (202) 254-4305, or e-mail your request to our Office of Inspector General (OIG) Office of Public Affairs at: DHS-OIG.OfficePublicAffairs@oig.dhs.gov.

For additional information, visit our website at: www.oig.dhs.gov, or follow us on Twitter at: @dhsoig.

OIG HOTLINE

To expedite the reporting of alleged fraud, waste, abuse or mismanagement, or any other kinds of criminal or noncriminal misconduct relative to Department of Homeland Security (DHS) programs and operations, please visit our website at www.oig.dhs.gov and click on the red tab titled "Hotline" to report. You will be directed to complete and submit an automated DHS OIG Investigative Referral Submission Form. Submission through our website ensures that your complaint will be promptly received and reviewed by DHS OIG.

Should you be unable to access our website, you may submit your complaint in writing to: DHS Office of Inspector General, Attention: Office of Investigations Hotline, 245 Murray Drive, SW, Building 410/Mail Stop 2600, Washington, DC, 20528; or you may call 1 (800) 323-8603; or fax it directly to us at (202) 254-4297.

The OIG seeks to protect the identity of each writer and caller.
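The four access-control conditions behind finding MGA-IT-12-03 (privileges beyond VIEW without justification, profile changes without documented approval, accounts still active after separation, and accounts never recertified) and the segregation-of-duties concern behind FLETC-IT-12-01 are the kind of checks an account-management programme can run on a schedule rather than wait for an annual audit sample to surface. The script below is an added illustration and is not part of the KPMG letter or of any FLETC or Momentum system: the user names, dates, HR separation feed, the role names other than VIEW, the justified-elevation list and the conflicting role pair are all constructed assumptions.

```python
"""Periodic access review modelled on the access-control conditions in
MGA-IT-12-03 and the segregation-of-duties condition in FLETC-IT-12-01.

Added illustration only: every record, date and role name other than VIEW
below is constructed and hypothetical, not taken from the report.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Account:
    user: str
    roles: Set[str]                   # application roles; VIEW is the read-only baseline
    active: bool
    last_recertified: Optional[date]  # None = access has never been recertified
    # (change date, approval reference) - None means no documented approval
    profile_changes: List[Tuple[date, Optional[str]]] = field(default_factory=list)


# --- Constructed inputs (hypothetical users, dates and role names) ----------
AS_OF = date(2012, 9, 30)

# HR separation feed: user -> separation date (constructed)
SEPARATED: Dict[str, date] = {"jdoe": date(2012, 3, 15), "asmith": date(2012, 6, 1)}

# Users with a documented business need for access beyond VIEW (constructed)
JUSTIFIED_ELEVATED: Set[str] = {"fin_admin"}

# Role sets one person should never hold together. The pair below (enter a
# transaction and approve it) is a hypothetical example, not from the report.
CONFLICTING_ROLE_PAIRS: List[Set[str]] = [{"POST", "APPROVE"}]

ACCOUNTS: List[Account] = [
    Account("jdoe", {"VIEW"}, True, date(2011, 6, 30)),        # separated, still active, stale recert
    Account("asmith", {"VIEW"}, False, date(2011, 9, 30)),     # separated and revoked: compliant
    Account("bjones", {"VIEW", "POST"}, True, date(2012, 1, 10),
            [(date(2012, 1, 5), None)]),                       # excess privilege, change unapproved
    Account("fin_admin", {"VIEW", "POST", "APPROVE"}, True, date(2012, 7, 1),
            [(date(2012, 2, 1), "CR-1234")]),                  # justified elevation, but SoD conflict
    Account("cgreen", {"VIEW"}, True, None),                   # never recertified
]


def excess_privilege(accounts: List[Account], justified: Set[str]) -> List[str]:
    """Active users holding anything beyond VIEW without a documented justification."""
    return sorted(a.user for a in accounts
                  if a.active and (a.roles - {"VIEW"}) and a.user not in justified)


def undocumented_profile_changes(accounts: List[Account]) -> List[Tuple[str, date]]:
    """Profile changes that carry no approval reference."""
    return sorted((a.user, changed) for a in accounts
                  for changed, approval in a.profile_changes if approval is None)


def separated_but_active(accounts: List[Account], separated: Dict[str, date],
                         as_of: date) -> List[str]:
    """Accounts still active although HR recorded a separation on or before as_of."""
    return sorted(a.user for a in accounts
                  if a.active and a.user in separated and separated[a.user] <= as_of)


def overdue_recertification(accounts: List[Account], as_of: date,
                            max_age_days: int = 365) -> List[str]:
    """Active accounts never recertified, or not recertified within max_age_days."""
    return sorted(a.user for a in accounts if a.active and
                  (a.last_recertified is None
                   or (as_of - a.last_recertified).days > max_age_days))


def sod_conflicts(accounts: List[Account], conflicting_pairs: List[Set[str]]) -> List[str]:
    """Active accounts holding a complete conflicting role set, justified or not."""
    return sorted(a.user for a in accounts
                  if a.active and any(pair <= a.roles for pair in conflicting_pairs))


def run_review(accounts, separated, justified, as_of, conflicting_pairs) -> dict:
    """Run every check once and return the exceptions by check name."""
    return {
        "excess_privilege": excess_privilege(accounts, justified),
        "undocumented_profile_changes": undocumented_profile_changes(accounts),
        "separated_but_active": separated_but_active(accounts, separated, as_of),
        "overdue_recertification": overdue_recertification(accounts, as_of),
        "sod_conflicts": sod_conflicts(accounts, conflicting_pairs),
    }


if __name__ == "__main__":
    review = run_review(ACCOUNTS, SEPARATED, JUSTIFIED_ELEVATED, AS_OF, CONFLICTING_ROLE_PAIRS)
    for check, exceptions in review.items():
        print(f"{check}: {exceptions or 'none'}")
```

Each function returns the list of exceptions for one condition, so the same code can feed a ticket queue or a recertification report; the deliberate point in the sample data is that a documented justification for elevated access (fin_admin) clears the least-privilege check but not the segregation-of-duties check, which is why the two are evaluated separately.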